[Owasp-testing] Testing Guide V4: Stop writing, start the review

Matteo Meucci matteo.meucci at owasp.org
Tue Apr 22 07:36:36 UTC 2014


Hi Irene,
yes please do now. Samantha is starting the final review phase.

We need to stop writing on the wiki asap.

Thanks,
Mat

On 04/22/2014 12:29 AM, Samantha Groves wrote:
> Are we still reviewing or can Jane get started on the copy?
> 
> 
> On Mon, Apr 21, 2014 at 3:21 PM, Irene Abezgauz <irene at quotium.com> wrote:
> 
>     As we’re doing the final bits –
> 
>     I’ve reviewed a bunch of articles and have them in a word file (with
>     track changes), didn’t input them into reviewers spreadsheet or the
>     wiki of the project.
> 
>     *In terms of project timelines – still possible to commit those?*
> 
>     I’ve got reviews with corrections for:
> 
>     *Testing for Sensitive information sent via unencrypted channels
>     (OTG-CRYPST-007)*: some additions and changes
> 
>     *Enumerate Infrastructure and Application Admin Interfaces
>     (OTG-CONFIG-005)*: minor changes, added tools
> 
>     *Testing for Account Enumeration and Guessable User Account
>     (OTG-IDENT-004)*: seems to currently have two pages - one 'old' and
>     one 'new content', with 'new content' being unfinished. Have
>     corrections for old.
> 
>     *Testing for cookies attributes (OWASP-SM-002)*: minor edits
> 
>     *Testing for Stack Traces (OWASP-IG-XXX)*: minor edits and changes,
>     needs to be assigned a category number
> 
>     *Testing for Error Code (OWASP-IG-006)*: some additions, minor changes
> 
>     *Testing for HTTP Parameter pollution (OWASP-DV-004)*: no changes
> 
>     *Testing for Session puzzling (OTG-SESS-010)*: minor changes
> 
>     *Test Session Timeout (OTG-SESS-008)*: minor changes
> 
>     *Testing for XPath Injection (OWASP-DV-010)*: minor change
> 
>     The following has an entry which is currently not updated:
>     https://www.owasp.org/index.php/Testing_for_Weak_or_unenforced_username_policy_%28OWASP-AT-009%29
> 
>     *Testing for Weak or unenforced username policy (OTG-IDENT-005)*:
>     needs to be rewritten
> 
>     And I suggest, per the recommendation already in the spreadsheet and
>     after looking at both, that Test Upload of Malicious Files
>     (OTG-BUSLOGIC-016) and Test Upload of Unexpected File Types
>     (OTG-BUSLOGIC-015) should indeed be merged (separating them into
>     malicious file upload and malicious file extension seems redundant);
>     I can easily rewrite.
> 
>     Irene
> 
> 
>     *From:* owasp-testing-bounces at lists.owasp.org
>     [mailto:owasp-testing-bounces at lists.owasp.org] *On Behalf Of*
>     Samantha Groves
>     *Sent:* Friday, April 18, 2014 6:59 PM
>     *To:* Matteo Meucci
>     *Cc:* owasp-testing at lists.owasp.org
>     *Subject:* Re: [Owasp-testing] Testing Guide V4: Stop writing, start
>     the review
> 
>     End of August is when the project should end, but I believe we will
>     finish earlier as Joan and Hugo are on the last bits of the work.
>     Thank you for the feedback on the covers, Matteo. :-)
> 
>     On Fri, Apr 18, 2014 at 6:12 AM, Matteo Meucci
>     <matteo.meucci at owasp.org> wrote:
> 
>     We are under final review.
> 
>     Samantha, we have a final date for the release?
> 
>     Thanks,
>     Mat
> 
> 
> 
>     On 04/18/2014 03:10 PM, Lovelace, Sunni wrote:
>     > Is there a release date for Testing Guide V4?
>     >
>     > -----Original Message-----
>     > From: owasp-testing-bounces at lists.owasp.org
>     > [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Jim Manico
>     > Sent: Tuesday, April 01, 2014 5:13 PM
>     > To: Matteo Meucci; owasp-testing at lists.owasp.org
>     > Subject: Re: [Owasp-testing] Testing Guide V4: Stop writing, start
>     > the review
>     >
>     > Wow, very exciting. :) I'm thrilled to see this close to getting
>     > released!
>     >
>     > Aloha,
>     > Jim
> 
>     >
>     > On 4/1/14, 10:47 AM, Matteo Meucci wrote:
>     >> Hi all,
>     >> the reviewing phase is finished.
>     >> Some reviewers did the review, but it is not complete.
>     >>
>     >> Please if you have reviews to add to the wiki do it now.
>     >>
>     >> In the next days we will start the last phase of the project.
>     >>
>     >> Thanks!
>     >> Mat
>     >>
>     >> On 04/01/2014 04:03 PM, Mitchell, Rick (6030318) wrote:
>     >>> I had some time to tackle more review this morning. I only made
>     it through the first few sections, here are some notes:
>     >>>
>     >>> Testing: Conduct search engine discovery/reconnaissance for
>     >>> information leakage (OTG-INFO-001)
>     >>> * Lead-in paragraph indicates: " Indirect methods relate to
>     gleaning sensitive design and configuration information by searching
>     forums, newsgroups and tendering websites." Yet no such information
>     is covered in the entry. IMHO either this article needs to be beefed
>     up or the statement should be removed.
>     >>> * Made minor corrections related to punctuation (addition of
>     Oxford commas and some missing periods, as well as borders on images).
>     >>>
>     >>> Fingerprint Web Server (OTG-INFO-002)
>     >>> * Minor updates, grammar and content.
>     >>> * Makes me wonder if we have a style guide? Are we supposed to
>     be using Title Caps for section naming?
>     >>>
>     >>> Testing: Review Webserver Metafiles for Information Leakage
>     >>> (OTG-INFO-003)
>     >>> * Reference links in this article are confusing. For example:
>     [1] in the "Summary" section is not the same as [1] in the "How to
>     Test" section...
>     >>> * Minor updates, grammar and content.
>     >>>
>     >>> Rick
>     >>>
>     >>>
>     >>> -----Original Message-----
>     >>> From: owasp-testing-bounces at lists.owasp.org
>     >>> [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo
>     >>> Meucci
>     >>> Sent: Saturday, March 08, 2014 6:25 PM
>     >>> To: owasp-testing at lists.owasp.org
>     >>> Cc: Andrew Muller; Davide Danelon
>     >>> Subject: [Owasp-testing] Testing Guide V4: Stop writing, start the
>     >>> review
>     >>>
>     >>> Dear OWASP Testing Guide followers.
>     >>> thanks to David who did the last rush, we have closed the Testing
>     >>> Guide Project's first phase!
>     >>> Many thanks to all the contributors!
>     >>>
>     >>> All the articles are closed now.
>     >>> Now it is time for the reviewers.
>     >>>
>     >>> You can see the status here:
>     >>> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AmEhPtZ0cHq3dDc5ZFI0Nm9oSkhzNkNxTzNJbGdPdVE#gid=0
>     >>>
>     >>> Now the ToC is definitive:
>     >>> https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
>     >>>
>     >>> We deleted many items and 3 chapters:
>     >>> - Web Services Testing (not completed at all, it's better to have a
>     >>> separate guide on this)
>     >>> - Logging (not in scope of the wapt)
>     >>> - Denial of Service (not in scope of the wapt)
>     >>>
>     >>> Now we have split the set of active tests in 12 sub-categories for a
>     >>> total of 91 controls:
>     >>> - Information Gathering
>     >>> - Configuration and Deploy Management Testing
>     >>> - Identity Management Testing
>     >>> - Authentication Testing
>     >>> - Authorization Testing
>     >>> - Session Management Testing
>     >>> - Data Validation Testing
>     >>> - Error Handling
>     >>> - Cryptography
>     >>> - Logging
>     >>> - Business Logic Testing
>     >>> - Client Side Testing
>     >>>
>     >>> NEXT STEP:
>     >>> We'll contact all the proposed reviewers asking them to review the
>     >>> Guide in the next 2 weeks:
>     >>>> Paolo Perego
>     >>>> Daniel Cuthbert
>     >>>> Matthew Churcher
>     >>>> Lode Vanstechelman
>     >>>> Sebastien Gioria
>     >>>> Antonio Fontes
>     >>> Any others that want to help? Please answer only if you can review
>     >>> the guide in the next days.
>     >>>
>     >>> Deadline: end of March 2014
>     >>>
>     >>> Thanks!
>     >>> Mat & Andrew
>     >>>
>     >>> --
>     >>> Matteo Meucci
>     >>> OWASP Testing Guide co-Lead
>     >>> OWASP Italy President
>     >>>
>     >>>
>     >>> _______________________________________________
>     >>> Owasp-testing mailing list
>     >>> Owasp-testing at lists.owasp.org
>     >>> https://lists.owasp.org/mailman/listinfo/owasp-testing
> 
>     -- 
>     Matteo Meucci
>     OWASP Testing Guide Lead
>     OWASP Italy President
> 
> 
> 
>     -- 
>     *Samantha Groves, MBA*
>     /OWASP Projects Manager/
> 
>     The OWASP Foundation
>     Phoenix, USA
>     Email: samantha.groves at owasp.org
>     Skype: samanthahz
> 
>     OWASP Global Projects <https://www.owasp.org/index.php/Category:OWASP_Project>
>     Book a Meeting with Me <http://goo.gl/mZXdZ>
>     OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>     New Project Application Form <http://www.tfaforms.com/263506>
> 
> 
> 
> 

-- 
Matteo Meucci
OWASP Testing Guide Lead
OWASP Italy President

